
A Fresh Take

Insights on M&A, litigation, and corporate governance in the US.


Does California’s Delete Act Have the “DROP” on Data Brokers?: Updates and Insights from the Recent Stakeholder Session

The California Delete Act will make it easier for California consumers to request deletion of their personal information by so-called “data brokers,” a term that is much broader than companies may expect (see our prior blog post here). In particular, the Delete Act provides for a universal data deletion mechanism—known as the Data Broker Delete Requests and Opt-Out Platform, or “DROP”—that will allow any California consumer to make a single request for the deletion of their personal information by certain, or all, registered data brokers. In turn, by August 2026, data brokers will be required to regularly monitor, process, and honor deletion requests submitted through the DROP.

While the DROP’s policy objectives are fairly straightforward, it is less clear how the DROP will work in practice. For example, what measures will be taken to verify the identity of the consumer making the request, to ensure that the requesting party is the consumer they claim to be? What measures will be taken to verify that a person claiming to act as an authorized agent for a consumer actually has the right to request deletion of that consumer’s personal information? Unauthorized deletion of personal information may result in inconvenience or even loss or harm to individuals, which raises the stakes for the California Privacy Protection Agency (CPPA) as the agency responsible for building the DROP.

The CPPA recently held a virtual stakeholder session on June 26, 2024 to receive public comments on the Delete Act, and more specifically on development of the DROP. Attendees included researchers, data brokers, academics, privacy and cybersecurity attorneys, consumer protection experts, advertising and marketing professionals, nonprofit members, and more. 

Two major themes emerged over the course of the session:

1. How to Verify that the Deletion Request is a Bona Fide Request Made by the Actual Consumer or by their Authorized Agent

It is important to verify that the individual making the deletion request is the consumer whom they purport to be, or an authorized agent acting on that consumer’s behalf. Unauthorized deletion of a consumer’s personal information in response to a fraudulent request may cause inconvenience, loss, or harm to the consumer. As a result, stakeholders generally acknowledged the importance of a solid consumer verification process, which also takes into account the role of authorized agents. With that said, commentators disagreed on many of the details of a verification process, identifying a range of issues for further consideration by the CPPA, including:

  • Requiring a minimum of two-factor authentication, consent-based IP address verification, or other methods, and how to balance the security of the verification process against the need for ease of use (especially by those who are less tech-savvy);
  • Limiting requests for additional personal information for identity verification, where this may have a chilling effect on exercising the deletion right;
  • Defining the extent of the CPPA’s responsibility to conduct verifications through the DROP, to what extent the CPPA might be allowed to delegate this responsibility to third-party agents, and to what extent data brokers will be responsible for performing their own verifications.

2. How to Mitigate Potential Overuse and Abuse of the DROP

Data brokers and privacy and cybersecurity professionals spoke about the high volumes of deletion requests that businesses already face, particularly requests coming from potentially nefarious actors who might wish to capitalize upon the creation of a new tool in the data space. Some small companies that have set up their own data deletion request systems have gone from receiving 50 requests per day to 50,000 (e.g., from spoofed IP addresses). Other companies have been inundated with deletion requests that they feel seem to be generated by the very entities that pitch themselves as the “solution” to managing deletion requests, perhaps seeing a business opportunity as opt-out mechanisms grow more common. Several stakeholders emphasized that the verification process will be important in helping to weed out fraudulent requests, thus decreasing the burden on data brokers in responding to legitimate requests.

Looking Ahead

The Delete Act is poised to change the landscape of data subject requests with the DROP. The CPPA is now in the process of writing draft regulations and building the DROP system, and the stakeholder session served to inform the first stage of its rulemaking process. The CPPA’s goal is for rulemaking to be completed by January 2026, although given the extent of new and novel issues presented by the DROP, this timing may still prove to be challenging.

This blog is co-authored by summer associate Ortal Isaac.

 
